On 3/21/2025 10:12 AM, Todd Herr wrote:
On Fri, Mar 21, 2025 at 11:05 AM Mark Alley <mark.alley=40tekmarc....@dmarc.ietf.org> wrote:

    If Joe Schmoe, an email administrator, signs corporate mail with
    DKIM2 but has other mail streams that may not support it, or
    legacy systems incapable of using it, would not DMARC still be
    needed to apply/report to/for these other mailstreams in that
    scenario, or to protect from external entities trying to spoof the
    domain?

    I've perused the draft, and unless I'm missing text somewhere, I
    don't see where DKIM2 would fulfill the policy request for
    unauthenticated emails, unless you're saying that DKIM2 usage (or
    lack thereof) would be akin to ADSP-esque behavior in some way?


I think you're describing a world where a Domain Owner authorizes some mail streams using DKIM2 and some mail streams using SPF/DKIM as is done today.  Obviously DMARC has a place in the authentication of those latter streams, layered on top of SPF/DKIM as it is now, but that's not the world I'm thinking of here.

I'm thinking instead of a world where "DKIM2" exists and is effectively the only authentication protocol and its specification says "Receivers SHOULD reject messages that fail DKIM2 validation".

What role could DMARC play in *that* world?

--
Todd Herr
Some Guy in VA LLC
t...@someguyinva.com
703-220-4153
Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8

______________________________________

I see what you're getting at now.

So, in this world, every MTA supports DKIM2 and it's the only authentication protocol in use... but:

 * what would happen if someone intentionally made an MTA that did not
   use it?
 * would mail from this system be reported on (via FBLs) by mail
   providers supporting DKIM2-auth only?
     o would it be delivered or rejected?
 * Is the lack of DKIM2 usage in this world the same as "failing DKIM2"?

In an ideal state and vacuum, I am led to a similar initial thought that it /might/ seem DKIM2 could make DMARC redundant given the right scenario, but I partially agree with Mike; it's somewhat difficult to postulate and ponder without more clarity on the protocol.

- Mark Alley
_______________________________________________
Ietf-dkim mailing list -- ietf-dkim@ietf.org
To unsubscribe send an email to ietf-dkim-le...@ietf.org
